Dec 25, 2011

“>>>>>>>>>>>>>>>>> Event happed TO -A young Girl killed herself after her dad posted a secret of her on her fb wall.... check dad post at--------------------===>Malicious link<=== (remove space from link)”



Today I found a few new variants of the old scam. It looks like the spammers benefit from the spam message “A young Girl killed herself after her dad posted a secret of her on her fb wall”, since they keep spreading the same message again and again by different methods.


Once you click on the link in the spam message, you are redirected to a website like the one shown below, which asks you to install a plugin named “OMX plugin”. Here a famous French web hosting site has been used to create a free domain name and redirect traffic to the “watch-status.blogspot.com” domain, which hosts the malicious link to the site http://mysibrand.info/index11.php.


Above, only “http://newtocheck.c.la/” is visible in the address bar; the other two malicious sites (watch-status.blogspot.com and mysibrand.info/index11.php), which are responsible for displaying the above content, are hidden from view.

Once you install these plugins, they launch the JavaScript files (script.js and extra.js) hosted on the remote site “http://COUPONCI.INFO/test/”. These scripts run in the background and spam your wall with the message "Omg , A young Girl killed herself after her dad posted a secret of her on her fb wall.... check dad post at===> Link to FB Photo which contains malicious link"


Then your wall will look something like this:


What you see above is a link to a photo in a hacked Facebook account; the photo contains the malicious link used to spread the scam.

Below is the compromised Facebook account, with an uploaded photo that also contains the malicious link.


After posting these spam messages, it redirects you to the site “http://soshocking2011.blogspot.com” and prompts you to complete the surveys.


The scammers earn a commission for every survey that is completed. Their job is to drive traffic to the online surveys and get people to enter their personal details, which are then used by marketing companies. The affiliate marketing company here is cpalead.com; see the JavaScript below.


Below are the instructions for removing the installed malicious plugin.

If you're a Firefox user, go to Tools->Add-ons->Extension->Uninstall


If you're a Chrome user, go to Tools->Extensions->Remove


Always install Add-ons/Extensions from known sources.

Domains spreading this infection are www.DRAMEATFB.c.la, www.BADPOST.c.la, www.SADSTORY.c.la, www.NEWONFB.c.la, www.NEWSATFB.c.la, www.NEWS-FB.c.la, www.SADPOST.c.la, www.NEWS-NEW.c.la, www.NEWTOPSEE.c.la, newtoseethis.blogspot.com, watchmenoze.blogspot.com, watchthatnewsd.blogspot.com, watchmenow1.blogspot.com, dad-post.blogspot.com, ayoubilo.info/plugin.html, umustseethat.info/youtube.xpi, checkthatfast.info/youtube.crx.

Similar spam messages are shown below:

"A drame about a future women who had ended her life after a status update posted on her fb wall by her father.... check all story and dad post at ===> www.DRAMEATFB.c. la (remove space between c and la)"


"This is a sad story happened on fb theatre when a lovly teenage sucided after her dad reval a deep secret of fer via a post on her fb wall...... check all story and dad post at ===> www.BADPOST.c. la (remove space between c and la)"


"This is unbelievable..shocking.. A Teenage ENDED her life on Halloween After A Dad Posted on Her Wall.. check all story and dad post at ===> www.SADSTORY.c. la (remove space between c and la)"

"A schoolgirl killed herself at the second attempt three hours after her dad has posted asecret of her on her fb wall...... check all story and dad post at ===> www.HOTNEWS.c. la (remove space between c and la)"

"poor teenage killed herself at the second attempt three hours after her dad has posted asecret of her on her fb wall...... check all story and dad post at ===> www.SADNEWS.c. la (remove space between c and la)"

"A LITTE young killed herself after her dad posted a secret of her on her fb wall.... check dad post at ===> www.YEPSEE.c. la (remove space between c and la)"

"- Hot and dramatique story happened to schoolgirl and ended dangerousely (on facebook) ...;;; : follow link to know story : ===(remove space between (c )and (la))===> www.CHECK-HERE.c. la)==>"

"i start crying after i see what happened to jessica ... unstead of i dont know her : check all the story at : www.watch-that.c. la (remove space between c and la)"

"plz Be careful to what you post on (facebook) cause that can finish dramatiquely ...;;; : follow link to know story : ================(remove BRACKET ( ) from url ===>www.TO-POST.(c).(la)"

"i hope that not will happed to you follow link to know story : ================(remove BRACKET ( ) from url ===>www.TO-POST.(c).(la)"

"Take a look and be carefull to what you post on (facebook) ...;;; : follow link to know story : ================(remove BRACKET ( ) from url ===>www.NOW-watch.(c).(la)"

"what you post on (facebook) can finish dramatiquely so pay attention to your post ...;;; : follow link to learn more and to know story : ================(remove BRACKET ( ) from url ===>www.DADPOSTLINK.(c).(la)"

Similar Domains spreading this infection are http://bit.ly/y47rcd, http://nouutreet.blogspot.com/?4937, http://moderntosee.info/plugin.html, http://mysibrand.info/watch/prenium.crx, http://mysibrand.info/s.js, http://mysibrand.info/e.js, http://mysibrand.info/f2/f.js

Warning: All of the links shown above are malicious. Don't ever try to access them.
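
The lures quoted above split or bracket the hostname ("c. la", "(c).(la)") and tell the reader to repair it by hand, which sidesteps simple link matching. As an added example (not code from the original post), the Python below undoes that obfuscation and flags such wall posts; the function names, the blocklist subset and the benign sample are assumptions made for illustration.

```python
import re

# Subset of the hosts listed in the post, lower-cased for matching.
KNOWN_BAD = {"www.drameatfb.c.la", "www.badpost.c.la", "www.sadstory.c.la"}

# A label may be wrapped in brackets, and a space may follow a dot:
# "www.BADPOST.c. la" and "www.TO-POST.(c).(la)" both match.
LABEL = r"\(?[A-Za-z0-9-]+\)?"
HOST = re.compile(rf"\bwww\.{LABEL}(?:\.\s?{LABEL})+", re.IGNORECASE)
# The lure tells the reader how to repair the link by hand.
REPAIR_HINT = re.compile(r"remove\s+(?:space|bracket)", re.IGNORECASE)

def extract_hosts(message):
    """Return (hostname, was_obfuscated) pairs with spaces and brackets removed."""
    hint = bool(REPAIR_HINT.search(message))
    hosts = []
    for match in HOST.finditer(message):
        raw = match.group(0)
        if not hint:
            # No repair instruction: never join text across a space.
            raw = raw.split()[0]
        clean = re.sub(r"[()\s]", "", raw).lower().rstrip(".")
        hosts.append((clean, hint and clean != raw.lower()))
    return hosts

def classify(message):
    """Return [(hostname, [reasons])] for every suspicious host in a wall post."""
    findings = []
    for host, was_obfuscated in extract_hosts(message):
        reasons = []
        if host in KNOWN_BAD:
            reasons.append("blocklisted")
        if was_obfuscated:
            reasons.append("obfuscated-link")
        if reasons:
            findings.append((host, reasons))
    return findings

SAMPLES = [
    # Excerpts of two messages quoted in the post.
    "check all story and dad post at ===> www.BADPOST.c. la (remove space between c and la)",
    "follow link to know story : ====(remove BRACKET ( ) from url ===>www.TO-POST.(c).(la)",
    # Constructed benign message.
    "Photos from the trip are up at www.example.com. Enjoy!",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The second sample is flagged on the obfuscation signal alone, which matters because several hostnames in the quoted messages do not appear in the domain lists.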
